I don't think this activity is limited to 'street view' cars - I don't live in a country where there are any roaming the city at all, yet every MAC address for all the access points I own can be located by entering them into sites like: http://samy.pl/androidmap/index.php

I would assume Android is the culprit here. I expect Google buried some lawyer speak deep in an EULA making this activity perfectly legal. I'm not okay with it though.

Not really. My home (static, used for a long-long time) IP address was paired with coordinates roughly three years ago, long before I used an Android phone at home. It locates me with a scary precision ~10 meters. I live 10 meters away from the street.

Then change the MAC addresses. It's public information that you broadcast. If you're not OK with it, don't do it. Put your network on silent mode, or set up some encryption. Skyhook has been doing this for years before Google was doing it. This is how it's possible to Geolocate a person when they're on Wifi with a Wifi-only device. iPads, for instance, depend on it.

But the fact is, your MAC address is not tied to you in the same way your IP address is. I can't go to your ISP and demand they tell me wh

Actually, considering cable operators require the MAC of the modem to provide service, and others can simply check via ARP if they don't have it on file, an ISP can pass out your external MAC with ease. Your internal less so, but that's not the issue here, is it?

I expect Google buried some lawyer speak deep in an EULA making this activity perfectly legal. I'm not okay with it though.

It's hardly buried deep. There's a whole section in Android settings panel to control it - "Location and Security Settings". You can just turn off certain location service types if you want. If there even was anything evil and unwanted going on, people will bring out some ROMs with all that crap disabled for those that don't want to help improve the location databases. I think when you first connect up your account it asks you if you want to enable your location in Latitude and allow the phone to connect lo

Okay, so you're bothered about them recording public information rather than them secretly tracking your phone no matter what settings you choose.

If you don't want your internal MAC addresses being publicly broadcast, use cables instead of WiFi. Pretty obvious and simple. If you were singing loudly with your window open, you couldn't complain about people recording the noise from the street. Likewise you can't complain about people recording radio transmissions and identifiers that you're knowingly spewing

Google's business is built on having data about people. Google drives around and collects even more data about people from personal WiFi hotspots, PC WiFi cards, and phones. Only the truly naive can possibly believe this is accidental. The whole "big clumsy cuddly bear stumbling around doing silly things" excuse is getting very old, Google. Stop playing us for stupid.

Of course it wasn't accidental. But it was only for geolocation purposes. You think they don't have enough personal data from people's email etc anyway if they really wanted it? They could do keylogging from Chrome on specific targets if they wanted to. They could hire private investigators to place cameras. They could use people's Gmail usernames and passwords to log into paypal accounts, etc, etc, etc, blah blah blah.

They are making money hand over fist from ads and Android already. It's moronic to se

No, Google's business is about having data to GIVE to people. Then display ads relevant to the information you asked for.

Being able to give people accurate location information based on what wifi AP they're nearby is good information. It's far easier and requires a lot less battery power than GPS. It's also less accurate than GPS which is a good thing if you're worried about location privacy.

Having accurate location information allows me to search for "tacos" and get some kind of local result. Cell phone t

We've already heard the method they were using for capturing MAC addresses and how sloppy it was. We already knew they were collecting random packets, then truncating them to include the MAC Address and a small portion of the payload and then saving them. We know some of those payloads include packets sent by people GASP on their phones or laptops, therefore it stands to reason some of the MAC addresses must also be from those phones and laptops. We knew this months and months and months ago, but apparently CNET didn't make the connection so easily.

It's like we just keep rehashing the same old story over and over and over because nobody understood it the first time, and someone comes and puts a new spin on old data and suddenly it lives again. The thing is, you can change a registry key and change your MAC address. There's no big table of data somewhere that connects your MAC address to a specific person. It's not even remotely the same as an IP address. Oh sure, you can say "Hey the MAC address of this device on my network matches the one on my network yesterday" but not "Hey, that's my neighbor's MAC address" unless you've got some sort of access to the device in question.

So Google may know that a certain device was one place and also another place, but that's about the extent of the correlations they can really make with this data. Again, just as before, there's no reason to assume malice when sloppy coding is a much more logical explanation. Google has nothing to gain and much to lose (PR-wise) by doing something like this on purpose, and a very reasonable and believable explanation was offered. Conspiracy theorists can continue to beat this dead horse if they like, but I'm an Occam's razor fan.

I'm sure that's true for most MAC addresses, but I have to wonder if it isn't for a large minority. It's technically easy enough to do it for hardware supplied by the network provider (some routers, cell phones). And I'd assume in many cases companies like Apple also would have an easy time making the connection between a unique serial no and the device's MAC, if a piece of hardware is registered with them either explici

The news keeps rehashing this story because it's sexy as heck, and gets lots of attention. Got a new angle on it? Republish as if it were a brand new news item and profit from the new attention and uproar. Advertisers love it, too.

That being said, I'd be a lot more okay with this if there was actually a stated reason for it, because then I could know whether I should do something about my wifi's visibility...

Why is this new? The StreetView cards were set to promiscuous mode, since they sniffed data packets not intended for them. It stands to reason they recorded responses from the end devices too, not just the AP->device traffic.

Sir, I comment on this comment so it stands out a little bit more over the ignorant comments.

We already know Streetview captured all packets it received, didn't we? It dropped those containing privacy sensitive data. It kept those packets that identify devices. It just so happens not all devices were geo-stationary. Why is this news, again, Slashdot??

So we have had Google's explanation for what happened, and how a coder got lazy and just modified some existing packet capture software (which captured all packets, instead of just the ones used by networks to announce themselves). Rather than actually writing some simple routines to select which packets to record and properly remove all the payload data, he simply let it record every packet with *most* of it truncated. This left the MAC address and sometimes a portion of the payload data behind.

1. If it was with so "*most* of it truncated", they still got details like username and password. http://www.macworld.com/article/158671/2011/03/google_streetview.html
"There's absolutely 0 new information here" - they got fined in court 100,000 euros, about $143,000, i.e. the nothing wrong line repeated so so many times is now 'old'.

...but shouldn't the real story be about how much information your gadgets are just leaking all over the place? Google didn't break into people's homes and write down the MAC addresses of every piece of tech they could find, they just recorded what was already being blasted through the airwaves. Now, I'm not saying this makes it all ok, but at least we KNOW Google is doing it - what's to stop other companies/groups/individuals from doing the same? The real issue is that the information is out there, not tha

AFAIK, your street address is NOT private information. Barring the boonies and any illegal housing projects you're on a map somewhere. I haven't seen a dead tree copy of yellowpages in a few years, but in some places residential addresses are listed in the book along with name and landline #

A street address does not reveal what your online activities may be. But between you and your hardware MAC addresses and your ISP with their assigned IP address, one can most certainly sniff out passing packet information. As I am sure you know there are federal laws that prevent others from accessing your mail and reading it.
IMHO any packet passing through your router via modem via your ISP should have the same outright protection as a letter in your mailbox. Regardless if your wifi is password protected.

My friends at Google swear up and down that every line of code in the Google codebase is reviewed several times before it is signed off and released for any purpose. Some would have caught this; it's obvious from the data what is happening. So, either my friends are liars, or Google is. I trust my friends more.

Yes cars all over the world getting all that data and nobody 'found' it during local beta testing... or during a review. They just signed off on it, stage after stage...
It's all just that "one" person using net code that one time... just once and it got past all the smart people all over the world looking after data collection in all the cities... all the trials, testing, reviews - they all missed it.
How strange was that.

My friends at Google swear up and down that every line of code in the Google codebase is reviewed several times before it is signed off and released for any purpose. Some would have caught this; it's obvious from the data what is happening. So, either my friends are liars, or Google is. I trust my friends more.

I'm sure they do this reviewing and testing for production code running on their servers. But for tools that will never run anywhere near the net and which are basically one-off affairs to gather data? I bet "seems to work so far" is all that's needed then.

It might be good if some of the smart people commenting here would become familiar with MAC addresses and what they're used for.

You seem to understand that DNS maps domain names to IP addresses - but what maps that IP address to your specific hardware?

Those who say you can change the MAC address to anything you want - maybe they understand that they're assigned in such a way that duplication is rare to impossible. For extra credit, describe what would happen if two devices shared the same MAC address.

Unless the two devices are on the same network segment, nothing happens at all. If they are on the same segment (I heard there was a Chinese NIC manufacturer that was shipping cards with all the same MAC addresses) then your network becomes a netdoesn'twork.

has come to life! Or whatever they called it on South Park. I for one, will not be on Google+ as from the beginning it reeked of snooping, and since it's designed to be one better than Facebook, well... of course it's going to do that.

They recorded either all raw radio wave data or minimally converted everything to digital according to the WiFi protocols. So if someone was accessing their bank at the time Google drove by then Google captured their bank data. If someone used weak pass phrases for their WiFi then the stored data is easily decoded.

I am very libertarian. It doesn't matter if a law says I can't listen into a radio wave, the truth is I can and so can anyone else. It's my fault for not encrypting my data securely. It's my responsibility to know that encryption has its best practices and to use them as well as to be informed that I am taking a calculated risk in transmitting data wirelessly since nothing is guaranteed.

Radio signals are public. The trick is decoding them. Decoding them should not be illegal since bad guys don't obey the law. To me it's like arresting people for eavesdropping at the next table when people can clearly hear them at the other end of the room. If you want privacy, go somewhere private and secure.

The information is BROADCASTED publicly -- if you don't want them to see you then Wifi has the option of hiding the network name; which is clearly indicating that you don't want others seeing you - without doing that you are willfully going naked from view of a PUBLIC SPACE -- so it's 100% fair game they snap your photo and there is nothing you can do about it (or should expect to.)

One could argue that merely broadcasting things into the public space is enough; however, due to the nature of the technology th

Well, we already know how this happened and Google's explanation was pretty reasonable and simple--but it all boiled down to sloppy coding, which I suppose is a sort of 'evil'. But at least then it's just one person's own evilness, and not an entire company's. Oh, sure, some conspiracy theorists still think Google did this all on purpose, but those theories really don't fit the facts very well.

"Sloppy coding" explains that they captured the data. The fact that they saved it for years, and presumably processed that data, indicates it goes beyond just being "sloppy". If you think about the steps, there's capturing the packet data, which certainly might capture more than you want to look at. Could be an accident. Then there's logging the data. Seems unlikely that you would log more than you need, after all, we are talking about a LOT of data. And then there's processing the data, where you ce

They just vacuumed up as much data as they could snarf w/o worrying about whether it was legal or not, because that's the way they roll, and now they are paying the price. Maybe they'll be a bit more careful in the future.

Many data analysts adhere to the motto, capture first, prune later. It's not like the data costs them a lot of money sitting there waiting for script to happen.

And BTW, the future is already here. The sloppy code in question probably dates back to 2006 if the data collection began in 2007. Internal policies could have changed three times over since then.

And a big round of -1 for all the people out there running unsecured Wi-Fi for the convenience of having no drapes.

Sorry... I have never understood what was evil in the first place. They didn't crack WEP or WPA at each wifi hotspot and gather data did they? If your wifi is announcing stuff out loud for the world to hear, then why is Google in trouble for listening?

Actually it's not similar, it's way worse. Apple cached information about the user location on the user's terminal, for performance purposes (although it wasn't stored in the safest way possible). Google grabbed this info from the street, without asking permission, and used that information for business purpose (and not a very fair one, see the Skyhook vs. Google lawsuit). Plus, the notion that a company can collect data “accidentally” is laughable, especially considering the process in which it was acquired.

How so? They ran Kismet, which if paired with a GPS captures the location of everything (both APs and devices). If you want to filter out devices, you probably need to change the code, since I've never seen an 'ignore clients' option in Kismet.

Personally, I found the capture of actual data from unencrypted networks (well, from any networks, but others are irrelevant) pretty bad, but this? Who cares if they know that MAC address X was at location Y? It's not like there's a database linking MAC address to

How so? They ran Kismet, which if paired with a GPS captures the location of everything (both APs and devices). If you want to filter out devices, you probably need to change the code, since I've never seen an 'ignore clients' option in Kismet.

Maybe their project manager should have realized that 'accidentally' collecting that data could have legal and PR consequences, and that it might be worth their while to make sure that they don't 'accidentally' collect that data.

Nah. Project management is for suckers. Just go out there and do dumb things - it'll work out in the end.

I've used Kismet to do site surveys before. By default, it's dumping packets for anything it can find. I could probably go through my laptop and find old caps with fragments of data from neighboring networks that had nothing to do with the entity that I was surveying. With that in mind, it's not particularly shocking that Google has done something similar. But do keep trying to push this as an intentional, malicious, or at least "dumb" act. Because everyone likes ignorance if it's packaged in snark.

If it's the MAC address of my smartphone, which I'm likely to carry around with me more or less all the time, I care a lot about who knows where that MAC address has been.

So it is ok for the phone company (and thus any law-enforcement agency who chooses to ask) to know where your smartphone has been but not Google (or John Doe driving the neighborhood in his '96 Civic while running Kismet)?

Well, it's nobody's business if I don't mind being tracked by my phone company and law enforcement but mind being tracked by Google. Let's remember that I explicitly gave my phone company permission to do that (by contracting their services), but never gave Google that permission.

The reason why I don't see this as a real problem is because firstly it wasn't tracking, just a one time recording, and unlike the phone company Google has no real way of knowing who that address belongs to.

Your post is bizarre. According to you, it's okay for Google to spy on you because your neighbor might be spying on you too. You also ignore the fact that people explicitly give permission to phone companies to know their MAC address, while Google drove their data-sniffing software around residential areas without warning.

If it's the MAC address of my smartphone, which I'm likely to carry around with me more or less all the time, I care a lot about who knows where that MAC address has been. While Google's rather idiotic behaviour just (may have) recorded, where said MAC address was at one point in time, the statement above is, in its broadness, quite a bit more than I would like to have to stomach.

Sure, if it was a MAC tracking, that would've been a very different situation. But it wasn't, so let's not cloud the issue.

yet. It's not like nobody could ever come up with that smart idea.

Then the true problematic privacy violation would be perpetrated by that person/entity, not Google.

Google attempted to deliberately record the location of all open wifi hotspots. What the 'accidental' part was, is that they recorded all the open wifi hotspots that shouldn't have been open - ie home users who hadn't protected their devices.

From a technical viewpoint, there's no difference between Starbuck's open wifi, and the one at my home. The point of all this is that Google's access wasn't malicious, they did accidentally collect data they didn't intend to - which is very obvious after the fact, I gue

From a technical viewpoint, there's no difference between Starbuck's open wifi, and the one at my home. The point of all this is that Google's access wasn't malicious, they did accidentally collect data they didn't intend to - which is very obvious after the fact, I guess no-one thought about it enough beforehand.

They "accidentally" collected this data for 4 years, totaling over 600 gigabytes of data. Furthermore, they only admitted to it under inquiry from German regulators. Come on.

Yeah, only a non-programmer would think that software doesn't just "accidentally" record extra information that it wasn't programmed to...

C'mon, how do you write a program to log all MAC addresses, and not realize that it's going to collect all MAC addresses? Do you think they just talk to their vans and there was some sort of ambiguity? Like they said, "Google Van, please record MAC addresses and GPS coordinates", and it just interpreted it wrong because they were unclear?

C'mon, how do you write a program to log all MAC addresses, and not realize that it's going to collect all MAC addresses? Do you think they just talk to their vans and there was some sort of ambiguity? Like they said, "Google Van, please record MAC addresses and GPS coordinates", and it just interpreted it wrong because they were unclear?

You don't write your own software. You use a common off-the-shelf app that provides a data dump with everything you need. It's called Kismet. You should take a look at it.

Yeah, it's so evil to create a system that allows geo-location without GPS *rolleyes* I'm sure they did this only to make the lives of stalkers easier. Certainly they would never try to do anything as helpful as allow people with crappy phones to get better location info.

Sweet, so we all have "spy gear" built into our laptops and phones now! Scanning for local wifi devices/data now qualifies you to be a spy - cool! I'm off to apply to MI5.

Oh fucking please, they used vehicles equipped with average off-the-shelf wifi equipment to collect data that devices were openly broadcasting.

What does it being off-the-shelf equipment have to do with anything? It doesn't matter if they were "openly broadcasting." By that logic, I could stand outside your house with extra-sensitive microphones and listen to the conversations you're having. After all, you're "openly broadcasting" the sound waves through the surrounding atmosphere.

But really, they've already explained what they were doing, and it makes perfect sense why others were hit by it. Google was gathering information on public access points to be able to map them, the access point data that was gathered was from routers that were set to appear as Public (unencrypted and non-hidden).

Slashdotters keep focusing on the fact the routers were unencrypted, and that doesn't matter legally or ethically. By that logic, I could listen in on the conversations in your house from the street

It already has. This is the same story from eons ago rehashed in yet another way with absolutely no new information whatsoever. Obviously, if we had payload data it wasn't from routers, so obviously there had to be MAC Addresses that weren't from routers either. We already knew all of this months and months and months ago and it caused at least as big of an uproar back then as the Apple location thing. In fact, it was bigger--since we still have governments investigating Google over this while Apple largely skated by unnoticed (other than some congressional testimony).

Obviously, if we had payload data it wasn't from routers, so obviously there had to be MAC Addresses that weren't from routers either.

Really? So, when this story first came out, you think it was "obvious" that Google was collecting MAC addresses from client devices as well? I don't mean in retrospect now that this story is out, but that at the time, you *specifically* had the thought "they also collected MAC addresses from clients, not just from the access points."?

And further, you think that this is something that most people thought as well? Really?

It's actually not that mysterious as to why they did this. Android has a "nifty" feature that uses WIFI access point triangulation to improve location accuracy of the handsets, and it works even when GPS is turned off.

No way this was "accidental", as they're using the fruits of it quite readily.

Meh. The telephone companies have been doing this for a while now. The wifi chip in your phone records nearby SSIDs even when you have turned your wifi off. The telephone companies record which SSIDs you're near and this allows them to more quickly determine your location for the numerous reasons they might want to do so. I don't believe that anything I'm broadcasting over the air-waves is private. The fact that Google also recorded this information is irrelevant to me.

Apple's issues were fairly similar to be honest, in both instances it was bad coding/poor-judgment by engineers creating bad privacy practices that were, in both cases, largely overblown in the media. Google, to its credit, at least had the decency to step up and say "Yeah, our mistake. We're sorry." while Steve Jobs COMPLETELY DENIED that the iPhone tracked users. In my book, that makes him a big liar. Apple's weasely response, no doubt, would be that if the data doesn't get uploaded to them it's not really "tracking". But, practically speaking, that argument doesn't hold any water since the record is created, sometimes (but not always) finds its way to Apple, and its existence creates a liability for its users even if it isn't in Apple's hands. Neither company was being malicious or trying to invade their users' privacy, but at least Google showed a lot more forthrightness and honesty while Apple tried to hide the issue.

Google shouldn't have admitted anything. They made a mistake by leaving a debugging feature in production code and collected a lot of data they shouldn't have. The right thing to do would have been to handle the problem internally - fix the problem and delete the data, end of story, no harm done. By admitting they made a mistake they're only putting themselves in trouble and potentially allowing governments to get access to the data.

You actually believe their story that they accidentally enabled a "debugging feature" for all the years they collected and archived the data? Even more incredible, you're actually arguing that it should have been kept a secret and that the public should never have found out about it?

The only reason Google admitted it in the first place was due to threat of investigation by the German government. If Google had their way, we most definitely would have never known about it. That's not a good thing.

You don't necessarily have to code specifically for it, if it is doing something similar with a different goal. The idea Google was after was to map open hotspots, i.e. to have a map of what coffee shops, restaurants, hotels etc... To do that it would have to triangulate the location, which involves connecting to the open access point, more or less ping it or send it a few signals, listen for those signals back, as it drives, and use the time variance to find the source, yes they picked up random bits of oth

Not to mention probably more than half the posts on every site that runs this story will be "ZOMG! Google does NO evil!" with rushes to explain away everything they did while ignoring if it wasn't for the Germans demanding to see what data was collected in the first place nobody would have even found out how much Google was snatching.

I just hope that whomever at Google came up with that stupid slogan got a free car and a hell of a bonus check, because that thing seems to work like a magic shield that makes

I have to ask. In every Google article on Slashdot, I notice these angry anonymous posts attacking people who are critical of Google. It's obvious that it's the same person. Do you work for them or something?

You (and most news articles I have read on this) fail to miss the point: this is locally public information. Publishing it worldwide may not be in violation of any laws in print (debatable), but that does not make it morally defensible.

To invoke a car analogy: this would be similar to having a worldwide database tying each license plate to its physical location on the planet. Sure, it's public information, since anyone nearby can do the same. But since each license plate can be uniquely tied to its owner, i

So what you're saying is that if I whip out my phone in the streets of NYC, snap a shot of traffic, and fail to then photoshop out all the license plates before posting that shot on the web, I'm being morally indefensible?

Google wants to collect MAC addresses. They do that on purpose. But they don't want mobile MAC addresses. They want FIXED ones, because that's what helps them Geolocate. Again, this all traces back to the same lazy coder who just copied and pasted some packet sniffing code into his project without bothering to change it to be smart enough to only record open wifi routers' broadcast packets or to properly truncate the packet down to the MAC address. Instead he just had it take EVERY packet, keep the first 64 bytes, and dump the rest. This resulted in useless mobile MAC addresses also being recorded along with all the payload data that got Google into so much trouble.
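The difference the comment above describes, between keeping the first 64 bytes of every frame and recording only access point announcements, as an added example that is not part of the original thread and not Google's or Kismet's code. The frames, MAC addresses and payload are constructed, carry no radiotap header, and the function names are assumptions chosen for illustration.

```python
import struct

HEADER_LEN = 24                    # frame control, duration, 3 addresses, sequence control
TYPE_MGMT, SUBTYPE_BEACON = 0, 8   # 802.11 type/subtype values for a beacon


def mac(raw):
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def truncate_64(frame):
    """The approach the comment describes: keep the first 64 bytes of any frame."""
    return frame[:64]


def minimize(frame):
    """Keep a record only for beacon frames, and only the BSSID from them."""
    if len(frame) < HEADER_LEN:
        return None                          # too short to hold a full MAC header
    fc0 = frame[0]
    version = fc0 & 0x3
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if version != 0 or ftype != TYPE_MGMT or subtype != SUBTYPE_BEACON:
        return None                          # data, control and other mgmt frames are dropped
    bssid = frame[16:22]                     # address 3 of a beacon is the BSSID
    if bssid[0] & 0x01:
        return None                          # group bit set: not a valid AP address
    return {"bssid": mac(bssid)}             # no client address, no frame body


def survey(frames):
    """Return the de-duplicated list of BSSIDs seen in beacon frames."""
    seen = []
    for frame in frames:
        record = minimize(frame)
        if record and record["bssid"] not in seen:
            seen.append(record["bssid"])
    return seen


def build_header(fc0, fc1, addr1, addr2, addr3):
    """Assemble a 24-byte 802.11 MAC header for the constructed samples."""
    return bytes([fc0, fc1]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"


# Constructed sample addresses (locally administered range, not real devices).
AP = bytes.fromhex("020000aa0001")
CLIENT = bytes.fromhex("020000bb0002")
BROADCAST = b"\xff" * 6

# Constructed beacon: timestamp, interval, capabilities, then an SSID element.
BEACON = (build_header(0x80, 0x00, BROADCAST, AP, AP)
          + struct.pack("<QHH", 0, 100, 0x0001)
          + b"\x00\x07example")

# Constructed unencrypted data frame from a client to the AP (ToDS set).
# The body is simplified: LLC/SNAP header followed directly by cleartext.
DATA = (build_header(0x08, 0x01, AP, CLIENT, AP)
        + b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
        + b"USER alice\r\nPASS constructed\r\n")

if __name__ == "__main__":
    kept = truncate_64(DATA)
    print("truncate_64 keeps client MAC:", CLIENT in kept)
    print("truncate_64 keeps payload   :", b"USER alice" in kept)
    print("minimize(DATA)              :", minimize(DATA))
    print("survey                      :", survey([BEACON, DATA, BEACON]))
```
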